Daniel Solove writes about personal and sensitive data:
A quiet revolution has been going on with personal and sensitive data. There have been many notable developments. In the past few years, we’ve witnessed the triumph of the EU approach to defining personal data and to designating special protections for sensitive data.
We’ve seen a growing recognition in the law that:
- the overwhelming modern consensus in privacy law is to define personal data as identified or identifiable data
- new laws (post-GDPR) are now overwhelmingly recognizing sensitive data, even in the U.S.
- various pieces of non-personal data can, in combination, be identifiable
- the ability to make inferences about data can’t be ignored
- non-sensitive data that gives rise to inferences about sensitive data counts as sensitive data
These are significant developments, yet oddly, they haven’t made headline news.
I recently wrote an article about sensitive data. I argue that because non-sensitive data can count as sensitive data if it gives rise to inferences about sensitive data, all personal data is likely sensitive data with modern data analytics. The paper is:
Data Is What Data Does: Regulating Based on Harm and Risk Instead of Sensitive Data 118 Nw. U. L. Rev. (forthcoming 2024)
I posted a draft of my this article on SSRN. You can download it for free here.
Read more at LinkedIn.